sb-au logo
Story image

Zero-day Internet Explorer vulnerability exploited in the wild

25 Sep 2019

On September 23, Microsoft released an out-of-band patch for a zero-day vulnerability in Internet Explorer that has been exploited in the wild.

Exploiting the vulnerability gives an attacker the same privileges as the current user.

Tenable senior security response manager Satnam Narang shares his findings on the vulnerability.

Analysis

CVE-2019-1367 is a memory corruption vulnerability in Internet Explorer’s scripting engine in the way that objects in memory are handled.  

Exploitation of this vulnerability could result in the attacker gaining arbitrary code execution under the same privileges as the current user.

In the event that the current user has administrative privileges, an attacker could perform various actions on the system, from creating a new account with full privileges to installing programs or even modifying data.

To exploit the vulnerability, an attacker would have to host the exploit on a malicious website and socially engineer a user into opening that website in Internet Explorer.

In the case of a targeted attack, an attacker could include a link to the malicious website in an email or in a malicious email attachment (HTML file, PDF file, Microsoft Office document) that supports embedding the scripting engine content.

The vulnerability was discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG).

Earlier this year, Lecigne discovered and reported two zero-day vulnerabilities: a use-after-free vulnerability in Google Chrome (CVE-2019-5786) and an elevation of privilege vulnerability in Microsoft Windows (CVE-2019-0808) that were exploited together in the wild.

Additional details about the in-the-wild exploitation of this vulnerability have not yet been made public by Lecigne and Google’s TAG, though we anticipate such details will be disclosed in a blog post in the near future.

Solution

Microsoft released an out-of-band patch for this vulnerability due to the report that it has been exploited in the wild.

Please refer to the Security Updates section for additional information on the IE Cumulative Update or relevant Security Updates.

Additionally, Microsoft has provided workarounds for both 32-bit and 64-bit systems by restricting access to the JScript.dll file.

An administrator can do so by entering specific commands into the command prompt; the commands are available at the end of the Microsoft security advisory page.

However, these workarounds should only be used as a temporary measure until patching is feasible.

Commands to revert the workarounds are also available on the Microsoft security advisory page.

ESET cybersecurity specialist Jake Moore says, “The importance of patching has never been so important and not just for those ‘early adopters’.

“Luckily there is a minimal share of the public still using IE as a browser, but it’s worth noting this could still have damaging consequences.”

Trustwave SpiderLabs EMEA director Ed Williams says, “The release of this patch underlines the importance of regular patching on an environment.

“It also highlights the importance of regular asset identification and vulnerability scanning of environments, for example, knowing what to patch once a vulnerability has been identified.

“We know that attackers are flexible and dynamic and will be looking to further leverage this vulnerability to suit their needs, be it financial or otherwise.

“While Internet Explorer isn’t as popular as it once was, it is still a rich target for attackers, and with the release of this patch, further emphasises why it is a business risk when compared to other browsers.

Story image
ESET launches the latest version of its Mobile Security solution
“With this latest version of ESET Mobile Security, we want to ensure our users feel completely secure when performing financial transactions on their devices, in addition to being protected from malware and phishing attempts."More
Story image
Ripple20 threat has potential for 'vast exploitation', ExtraHop researchers find
One in three IT environments are vulnerable to a cyber threat known as Ripple20. This is according to a new report from ExtraHop, a cloud-native network detection and response solutions provider. More
Story image
5 ways to use data science to predict security issues - Forcepoint
Data science enables people to respond to problems in a better way, and to also understand those problems in a way that would not have been possible 50 years ago.More
Story image
Global attack volume down, but fraud and cyber threats still going strong
“The move to digital, for both businesses and consumers, has been significant. Yet with this change comes opportunity for exploitation. Fraudsters look for easy targets: whether government support packages, new lines of credit or media companies with fewer barriers to entry."More
Story image
Report: Rushing into cloud migration directly related to security issues
A new report from Radware highlights the impact of COVID-19 on organisations compelled to digitally transform in order to maintain business continuity. More
Story image
Yubico launches latest YubiKey with NFC & USB-C support
Yubico has released a new hardware authentication key, designed to provide security through both near-field communication (NFC) and USB-C connections and smart card support.More